02 Stream v2 Annotated

Date post: 14-Oct-2015
Upload: nikita-chopra
Description: Coursera

Transcript

Introduction to Programming

Stream ciphers: The One Time Pad
Online Cryptography Course, Dan Boneh

Symmetric Ciphers: definition

Def: a cipher defined over (K, M, C) is a pair of "efficient" algorithms (E, D) where
  E: K × M → C,  D: K × C → M,  and for all m ∈ M, k ∈ K:  D(k, E(k, m)) = m

E is often randomized. D is always deterministic.

The One Time Pad (Vernam 1917)
First example of a "secure" cipher.
key = (random bit string as long as the message)
Note: Define CT, PT, and key spaces.

The One Time Pad (Vernam 1917)
  msg:  0 1 1 0 1 1 1
  key:  1 0 1 1 0 1 0
  CT:   1 1 0 1 1 0 1   (CT = msg ⊕ key)
Note: Define OTP operation: equation and example. Verify correctness.

Quiz: You are given a message (m) and its OTP encryption (c). Can you compute the OTP key from m and c?
  - No, I cannot compute the key.
  - Yes, the key is k = m ⊕ c.
  - I can only compute half the bits of the key.
  - Yes, the key is k = m ⊕ m.

The One Time Pad (Vernam 1917)
Very fast enc/dec!! but long keys (as long as plaintext)

Is the OTP secure? What is a "secure" cipher?

What is a secure cipher?
Attacker's abilities: CT-only attack (for now)
Possible security requirements:
  attempt #1: attacker cannot recover secret key
  attempt #2: attacker cannot recover all of plaintext
Shannon's idea: CT should reveal no "info" about PT

Information Theoretic Security (Shannon 1949)

Def: A cipher (E, D) over (K, M, C) has perfect secrecy if
  ∀ m0, m1 ∈ M (|m0| = |m1|) and ∀ c ∈ C:
    Pr[ E(k, m0) = c ] = Pr[ E(k, m1) = c ]   where k ← K (uniform)
Note: Explain implications.

Lemma: OTP has perfect secrecy.
Proof: for every m and c there is exactly one key, k = m ⊕ c, with E(k, m) = c, so Pr[ E(k, m) = c ] = 1/|K| for all m and c.

The bad news: perfect secrecy ⇒ key-len ≥ msg-len

End of Segment

Stream ciphers: Pseudorandom Generators
Online Cryptography Course, Dan Boneh

Review
Cipher over (K, M, C): a pair of "efficient" algorithms (E, D) s.t. ∀ m ∈ M, k ∈ K: D(k, E(k, m)) = m
Weak ciphers: substitution cipher, Vigenère, ...
A good cipher: OTP, M = C = K = {0,1}^n, E(k, m) = k ⊕ m, D(k, c) = k ⊕ c
Lemma: OTP has perfect secrecy (i.e. no CT-only attacks)
Bad news: perfect secrecy ⇒ key-len ≥ msg-len

Stream Ciphers: making OTP practical
idea: replace the "random" key by a "pseudorandom" key
Note: State PRG syntax.

Stream Ciphers: making OTP practical
Note: Define stream cipher.

Quiz: Can a stream cipher have perfect secrecy?
  - Yes, if the PRG is really "secure"
  - No, there are no ciphers with perfect secrecy
  - No, since the key is shorter than the message
  - Yes, every cipher has perfect secrecy

Stream Ciphers: making OTP practical
Stream ciphers cannot have perfect secrecy!!
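The OTP definition, the "recover the key from (m, c)" quiz and Shannon's perfect-secrecy condition can all be checked mechanically on a small key space. The following is an added example written for this transcript, not code from the course; it uses the slide's 7-bit message and key, and a constructed "short key" variant (key repeated to message length) to show a cipher that fails the condition.

```python
# Added example (not from the lecture slides): the one-time pad over bit
# strings, the "recover the key from (m, c)" quiz, and a brute-force check
# of Shannon's perfect-secrecy condition for a small key space.
from itertools import product


def xor_bits(a, b):
    """XOR two equal-length bit strings written as '0'/'1' text."""
    assert len(a) == len(b)
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def otp_encrypt(k, m):
    return xor_bits(k, m)          # E(k, m) = k ⊕ m


def otp_decrypt(k, c):
    return xor_bits(k, c)          # D(k, c) = k ⊕ c


def recover_key(m, c):
    """Quiz answer: given m and c = m ⊕ k, the key is k = m ⊕ c."""
    return xor_bits(m, c)


def has_perfect_secrecy(encrypt, key_space, n):
    """Shannon's condition, checked exhaustively for a uniform key:
    for every pair m0, m1 and every c, Pr[E(k,m0)=c] == Pr[E(k,m1)=c].
    With a uniform key this is the same as equal key counts per (m, c)."""
    msgs = ["".join(t) for t in product("01", repeat=n)]
    count = {m: {} for m in msgs}      # count[m][c] = #keys with E(k, m) == c
    for m in msgs:
        for k in key_space:
            c = encrypt(k, m)
            count[m][c] = count[m].get(c, 0) + 1
    cts = {c for m in msgs for c in count[m]}
    return all(count[m0].get(c, 0) == count[m1].get(c, 0)
               for m0 in msgs for m1 in msgs for c in cts)


def short_key_encrypt(k, m):
    """Constructed insecure variant: a key shorter than the message,
    repeated to the message length (key-len < msg-len)."""
    stretched = (k * (len(m) // len(k) + 1))[:len(m)]
    return xor_bits(stretched, m)


def demo():
    m = "0110111"                 # the slide's msg
    k = "1011010"                 # the slide's key
    c = otp_encrypt(k, m)
    assert otp_decrypt(k, c) == m
    assert recover_key(m, c) == k
    n = 3
    full_keys = ["".join(t) for t in product("01", repeat=n)]    # |K| = 2^n
    short_keys = ["".join(t) for t in product("01", repeat=2)]   # |K| = 2^2 < 2^n
    return {
        "ct": c,
        "otp_perfect": has_perfect_secrecy(otp_encrypt, full_keys, n),
        "short_key_perfect": has_perfect_secrecy(short_key_encrypt, short_keys, n),
    }


if __name__ == "__main__":
    print(demo())
```

The exhaustive check is feasible only for tiny n, which is the point: perfect secrecy is a statement about the whole distribution of ciphertexts, and the short-key variant fails it precisely because a key space smaller than the message space cannot spread every plaintext over every ciphertext equally, which is the "bad news" in the review.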

Need a different definition of security.
Security will depend on the specific PRG.
Note: No more perfect secrecy.

PRG must be "unpredictable"
Note: Define unpredictability.

PRG must be "unpredictable"
We say that G: K → {0,1}^n is predictable if:
  ∃ an "efficient" algorithm A and some 1 ≤ i ≤ n-1 s.t.
    Pr_{k←K}[ A(G(k)|_{1..i}) = G(k)|_{i+1} ] ≥ 1/2 + ε   for some non-negligible ε

Def: PRG is unpredictable if it is not predictable:
  ∀ i: no "efficient" adversary can predict bit (i+1) for "non-negligible" ε

Quiz: Suppose G: K → {0,1}^n is such that for all k: XOR(G(k)) = 1.
Is G predictable??
  - Yes, given the first bit I can predict the second
  - No, G is unpredictable
  - Yes, given the first (n-1) bits I can predict the nth bit
  - It depends

Weak PRGs (do not use for crypto)
glibc random():
  r[i] ← ( r[i-3] + r[i-31] ) % 2^32
  output r[i] >> 1
Note: LCG is not secure.

End of Segment

Stream ciphers: Negligible vs. non-negligible
Online Cryptography Course, Dan Boneh
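The glibc recurrence on the slide is a concrete instance of a predictable generator. The following added example (written for this transcript, not the course's code) implements the recurrence exactly as the slide gives it and a predictor that, after observing 31 outputs, narrows the next output to two candidates. The initial table is filled from a small constructed LCG, which is an assumption; glibc seeds its table differently, and that does not affect the point.

```python
# Added example (not from the slides): the additive lagged recurrence the
# slide attributes to glibc random(), r[i] = (r[i-3] + r[i-31]) mod 2^32 with
# output r[i] >> 1, and a predictor that needs only 31 observed outputs.
MASK = (1 << 32) - 1


def seed_state(seed, size=34):
    """Constructed seeding (assumption, not glibc's actual srandom): fill the
    initial table with a small LCG so the example is self-contained."""
    state = []
    x = seed & MASK
    for _ in range(size):
        x = (x * 1103515245 + 12345) & MASK
        state.append(x)
    return state


def lagged_outputs(state, count):
    """Run r[i] = r[i-3] + r[i-31] (mod 2^32); emit r[i] >> 1 each step."""
    r = list(state)
    out = []
    for _ in range(count):
        nxt = (r[-3] + r[-31]) & MASK
        r.append(nxt)
        out.append(nxt >> 1)
    return out


def predict_next(observed):
    """Predict the next output from the last 31 outputs. Each output dropped
    one low bit, so r[i-3] + r[i-31] is known up to a carry of 0, 1 or 2:
    the next output is one of two adjacent values. A predictor that is right
    with probability >= 1/2 is far from the 2^-31 a secure PRG would force."""
    assert len(observed) >= 31
    o3, o31 = observed[-3], observed[-31]
    base = ((o3 << 1) + (o31 << 1)) & MASK      # even, so base+1 shares its >>1
    return {base >> 1, ((base + 2) & MASK) >> 1}


def predictor_hits(seed, total=200):
    """Constructed run: how often the true next output is in the predicted set."""
    outs = lagged_outputs(seed_state(seed), total)
    trials = hits = 0
    for i in range(31, total):
        trials += 1
        hits += outs[i] in predict_next(outs[:i])
    return hits, trials


if __name__ == "__main__":
    print(predictor_hits(12345))    # every prediction lands
```

This is exactly the failure the "unpredictable" definition rules out: an efficient algorithm that, given a prefix of the output, predicts the next symbol with probability 1/2 + ε for a very non-negligible ε. A generator with this property must not be used for keys, nonces or keystreams.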

Negligible and non-negligible
In practice: ε is a scalar and
  non-neg:    ε ≥ 1/2^30  (likely to happen over 1GB of data)
  negligible: ε ≤ 1/2^80  (won't happen over life of key)
In theory: ε is a function ε: Z≥0 → R≥0 and
  non-neg:    ∃d: ε(λ) ≥ 1/λ^d infinitely often   (ε ≥ 1/poly, for many λ)
  negligible: ∀d, λ ≥ λ_d: ε(λ) ≤ 1/λ^d           (ε ≤ 1/poly, for large λ)

Few Examples
  ε(λ) = 1/2^λ : negligible
  ε(λ) = 1/2^λ for odd λ, ε(λ) = 1/λ^1000 for even λ : negligible or non-negligible?
  ε(λ) = 1/λ^1000 : non-negligible

PRGs: the rigorous theory view
PRGs are "parameterized" by a security parameter λ
  PRG becomes "more secure" as λ increases
Seed lengths and output lengths grow with λ
For every λ = 1, 2, 3, ... there is a different PRG G_λ:
  G_λ: K_λ → {0,1}^{n(λ)}
(in the lectures we will always ignore λ)

An example asymptotic definition
We say that G_λ: K_λ → {0,1}^{n(λ)} is predictable at position i if:
  there exists a polynomial time (in λ) algorithm A s.t.
    Pr_{k←K_λ}[ A(λ, G(k)|_{1..i}) = G(k)|_{i+1} ] > 1/2 + ε(λ)
  for some non-negligible function ε(λ)

End of Segment

Stream ciphers: Attacks on OTP and stream ciphers
Online Cryptography Course, Dan Boneh

Review
OTP: E(k, m) = m ⊕ k, D(k, c) = c ⊕ k
Making OTP practical using a PRG: G: K → {0,1}^n
  Stream cipher: E(k, m) = m ⊕ G(k), D(k, c) = c ⊕ G(k)
Security: PRG must be unpredictable (better definition in two segments)

Attack 1: two time pad is insecure!!
Never use stream cipher key more than once!!
  C1 ← m1 ⊕ PRG(k)
  C2 ← m2 ⊕ PRG(k)
Eavesdropper does:
  C1 ⊕ C2 → m1 ⊕ m2
Enough redundancy in English and ASCII encoding that: m1 ⊕ m2 → m1, m2

Real world examples
Project Venona

MS-PPTP (Windows NT):
  (diagram: client and server both encrypt with the same key k, in both directions)
  Need different keys for C→S and S→C
Note: Venona: soviet messages sent from 1941 to 1946, decrypted about 3000 messages.

Real world examples
802.11b WEP:

Length of IV: 24 bits
Repeated IV after 2^24 ≈ 16M frames
On some 802.11 cards: IV resets to 0 after power cycle
  (diagram: both sides hold k; frame = IV ‖ ( [ m ‖ CRC(m) ] ⊕ PRG( IV ‖ k ) ) → ciphertext, IV sent in the clear)

Avoid related keys
802.11b WEP:
  key for frame #1: (1 ‖ k)
  key for frame #2: (2 ‖ k)
  (same diagram: [ m ‖ CRC(m) ] ⊕ PRG( IV ‖ k ) → ciphertext, with IV)

A better construction
  (diagram: both sides hold k; k → PRG → one pseudorandom key per frame; now each frame has a pseudorandom key)
better solution: use a stronger encryption method (as in WPA2)

Yet another example: disk encryption

Two time pad: summary
Never use stream cipher key more than once!!

Network traffic: negotiate new key for every session (e.g. TLS)
Disk encryption: typically do not use a stream cipher

Attack 2: no integrity (OTP is malleable)
Modifications to ciphertext are undetected and have predictable impact on plaintext
  m → enc(k) → m ⊕ k → ⊕ p → (m ⊕ k) ⊕ p → dec(k) → m ⊕ p

Attack 2: no integrity (OTP is malleable)
Modifications to ciphertext are undetected and have predictable impact on plaintext
  "From: Bob" → enc(k) → ciphertext → ⊕ (Bob ⊕ Eve) → modified ciphertext → dec(k) → "From: Eve"
Note: Bob: 42 6F 62, Eve: 45 76 65, Bob ⊕ Eve: 07 19 07

End of Segment

Stream ciphers: Real-world Stream Ciphers
Online Cryptography Course, Dan Boneh
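The "From: Bob" to "From: Eve" slide can be reproduced byte for byte. The following added example (written for this transcript, not the course's code) uses a constructed keystream standing in for PRG(k), derives the slide's 07 19 07 mask, applies it to the ciphertext, and then goes one step beyond the slide: it attaches an HMAC tag (an assumption about the fix, which the slide does not discuss) to show that the same modification is caught as soon as the ciphertext is integrity-protected.

```python
# Added example (not from the slides): why a stream cipher / OTP with no
# integrity check is malleable, and why a MAC over the ciphertext catches it.
import hashlib
import hmac


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(keystream, m):
    return xor_bytes(keystream, m)


def otp_decrypt(keystream, c):
    return xor_bytes(keystream, c)


def flip_plaintext(c, offset, old, new):
    """The slide's modification: XOR the ciphertext with old ⊕ new at `offset`
    so the decrypted plaintext reads `new` instead of `old`; no key needed."""
    mask = xor_bytes(old, new)
    head = c[:offset]
    body = c[offset:offset + len(mask)]
    tail = c[offset + len(mask):]
    return head + xor_bytes(body, mask) + tail


def tag(mac_key, c):
    """Integrity tag over the ciphertext (constructed addition, not on the slide)."""
    return hmac.new(mac_key, c, hashlib.sha256).digest()


def demo():
    keystream = bytes((0x5A + i) & 0xFF for i in range(9))   # constructed, stands in for PRG(k)
    mac_key = b"constructed-mac-key"                          # constructed
    m = b"From: Bob"
    c = otp_encrypt(keystream, m)
    t = tag(mac_key, c)
    mask = xor_bytes(b"Bob", b"Eve")                          # slide: 07 19 07
    c2 = flip_plaintext(c, len(b"From: "), b"Bob", b"Eve")
    return {
        "mask_hex": mask.hex(),
        "tampered_plaintext": otp_decrypt(keystream, c2),     # decrypts cleanly to "From: Eve"
        "tag_still_valid": hmac.compare_digest(tag(mac_key, c2), t),
    }


if __name__ == "__main__":
    print(demo())
```

The decryption of the modified ciphertext succeeds without any error, which is the "undetected" part of the slide; only the tag comparison notices. Detection of this class of tampering therefore has to come from an integrity mechanism, not from the cipher.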

Old example (software): RC4 (1987)
Used in HTTPS and WEP
  (diagram: 128-bit seed → 2048-bit state → 1 byte per round)
Weaknesses:
  Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
  Prob. of (0,0) is 1/256^2 + 1/256^3
  Related key attacks

Old example (hardware): CSS (badly broken)
Linear feedback shift register (LFSR): (diagram)
  DVD encryption (CSS): 2 LFSRs
  GSM encryption (A5/1,2): 3 LFSRs
  Bluetooth (E0): 4 LFSRs
  all broken

Old example (hardware): CSS (badly broken)
CSS: seed = 5 bytes = 40 bits
  (diagram: 17-bit LFSR and 25-bit LFSR, 8-bit outputs added mod 256, XORed with the movie; the encrypted movie has a known prefix, which yields a CSS keystream prefix)

Cryptanalysis of CSS (2^17 time attack)
For all possible initial settings of the 17-bit LFSR do:
  Run 17-bit LFSR to get 20 bytes of output
  Subtract from CSS prefix → candidate 20 bytes output of 25-bit LFSR
  If consistent with 25-bit LFSR, found correct initial settings of both!!
Using key, generate entire CSS output

Modern stream ciphers: eStream
PRG: {0,1}^s × R → {0,1}^n

Nonce: a non-repeating value for a given key.
E(k, m; r) = m ⊕ PRG(k; r)
The pair (k, r) is never used more than once.

eStream: Salsa20 (SW+HW)
Salsa20: {0,1}^{128 or 256} × {0,1}^64 → {0,1}^n   (max n = 2^73 bits)
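The two-time-pad slides (C1 ⊕ C2 → m1 ⊕ m2) and the nonce-based definition E(k, m; r) = m ⊕ PRG(k; r) describe the same hazard from two sides. The following added example (written for this transcript, not the course's or eStream's code) builds a keystream in the shape of the Salsa20 sketch, H(k,(r,0)) ‖ H(k,(r,1)) ‖ ..., with SHA-256 standing in for h (an assumption, chosen only so the example runs offline), wraps it in a cipher that refuses to reuse a (k, r) pair, and shows what an eavesdropper learns when the pair is reused anyway.

```python
# Added example (not from the slides): a nonce-based stream cipher
# E(k, m; r) = m ⊕ PRG(k; r), a guard against (k, r) reuse, and the
# two-time-pad leak c1 ⊕ c2 = m1 ⊕ m2 when the guard is absent.
import hashlib
import struct


def prg(k, r, nbytes):
    """Keystream PRG(k; r) = H(k,(r,0)) ‖ H(k,(r,1)) ‖ ... with SHA-256 as the
    per-block function h (assumption; Salsa20 uses its own 10-round h)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hashlib.sha256(k + r + struct.pack("<Q", i)).digest()
        i += 1
    return out[:nbytes]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class NonceStreamCipher:
    """E(k, m; r) = m ⊕ PRG(k; r); refuses to encrypt twice under one (k, r)."""

    def __init__(self, key):
        self.key = key
        self.used = set()

    def encrypt(self, nonce, m):
        if nonce in self.used:
            raise ValueError("nonce reuse: (k, r) must never be used more than once")
        self.used.add(nonce)
        return xor_bytes(prg(self.key, nonce, len(m)), m)

    def decrypt(self, nonce, c):
        return xor_bytes(prg(self.key, nonce, len(c)), c)


def two_time_pad_leak(key, nonce, m1, m2):
    """What an eavesdropper computes when (k, r) is reused for m1 and m2:
    c1 ⊕ c2, in which the keystream cancels and only m1 ⊕ m2 remains."""
    ks = prg(key, nonce, max(len(m1), len(m2)))
    c1, c2 = xor_bytes(ks, m1), xor_bytes(ks, m2)
    return xor_bytes(c1, c2)


def demo():
    key = b"\x11" * 32                       # constructed key
    sc = NonceStreamCipher(key)
    nonce = b"\x00" * 8
    m = b"meet at noon"
    c = sc.encrypt(nonce, m)
    roundtrip_ok = sc.decrypt(nonce, c) == m
    try:
        sc.encrypt(nonce, b"second message")
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    # Without the guard: the slide's attack, keystream cancels out.
    m1, m2 = b"meet at noon", b"meet at nine"
    leak = two_time_pad_leak(key, b"\x01" * 8, m1, m2)
    return {
        "roundtrip_ok": roundtrip_ok,
        "reuse_blocked": reuse_blocked,
        "leak_is_m1_xor_m2": leak == xor_bytes(m1, m2),
        "m1_reveals_m2": xor_bytes(leak, m1) == m2,
    }


if __name__ == "__main__":
    print(demo())
```

The guard in `encrypt` is the practical form of "the pair (k, r) is never used more than once": counters or per-session keys (the slide's TLS example) are how real deployments make that guarantee, and the WEP IV wrap-around on the earlier slide is what happens when a 24-bit counter is asked to provide it.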

Salsa20(k; r) := H( k, (r, 0) ) ‖ H( k, (r, 1) ) ‖ ...
h: invertible function, designed to be fast on x86 (SSE2)
  (diagram: a 64-byte block assembled from k (32 bytes), r, the block counter i and four fixed constants → h (10 rounds) → 64 bytes → ⊕ with the input block → 64-byte output)
Note: Xor is actually word-wise addition. The subscripted values in the block are fixed constants.

Is Salsa20 secure (unpredictable)?
Unknown: no known provably secure PRGs
In reality: no known attacks better than exhaustive search

Performance: Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)
  PRG          Speed (MB/sec)
  RC4          126
  Salsa20/12   643    (eStream)
  Sosemanuk    727    (eStream)

Generating Randomness (e.g. keys, IV)
Pseudo random generators in practice: (e.g. /dev/random)
  Continuously add entropy to internal state
  Entropy sources:
    Hardware RNG: Intel RdRand inst. (Ivy Bridge). 3Gb/sec.
    Timing: hardware interrupts (keyboard, mouse)
NIST SP 800-90: NIST approved generators

End of Segment

Stream ciphers: PRG Security Defs
Online Cryptography Course, Dan Boneh

Note: In the next three segments we will change gears a little bit and talk about the definition of a PRG. This definition is a good way to think of a PRG and we will see many applications of it later on.

Let G: K → {0,1}^n be a PRG
Goal: define what it means that
  [ G(k) for k ← K ]  is "indistinguishable" from  [ r ← {0,1}^n ]

Statistical Tests
Statistical test on {0,1}^n: an alg. A s.t. A(x) outputs "0" or "1"
Examples:
  A(x) = 1 iff |#0(x) − #1(x)| < 10·√n
  A(x) = 1 iff |#00(x) − n/4| < 10·√n
Note: |#0 − #1| < 10 sqrt(n), |#00 − n/4| < 10 sqrt(n).

Statistical Tests
More examples:
  A(x) = 1 iff max-run-of-0(x) < log n
Note: Run length < log n.

Advantage
Let G: K → {0,1}^n be a PRG and A a stat. test on {0,1}^n

Define:
  Adv_PRG[A, G] := | Pr_{k←K}[ A(G(k)) = 1 ] − Pr_{r←{0,1}^n}[ A(r) = 1 ] |  ∈ [0,1]

A silly example: A(x) = 0  ⇒  Adv_PRG[A, G] = 0
Note: Advantage is in [0,1] (0 good, 1 bad). Old definition using statistical tests: simple statistical tests.

Suppose G: K → {0,1}^n satisfies msb(G(k)) = 1 for 2/3 of keys in K
Define stat. test A(x) as:  if [ msb(x) = 1 ] output "1" else output "0"
Then
  Adv_PRG[A, G] = | Pr[ A(G(k)) = 1 ] − Pr[ A(r) = 1 ] | = | 2/3 − 1/2 | = 1/6

Secure PRGs: crypto definition
Def: We say that G: K → {0,1}^n is a secure PRG if
  for all "efficient" statistical tests A: Adv_PRG[A, G] is "negligible"
Are there provably secure PRGs?
  Unknown, but we have heuristic candidates.
Note: Mention that can't prove secure PRGs exist since that would imply P ≠ NP.

Easy fact: a secure PRG is unpredictable
We show: PRG predictable ⇒ PRG is insecure

Suppose A is an efficient algorithm s.t.
  Pr_{k←K}[ A(G(k)|_{1..i}) = G(k)|_{i+1} ] > 1/2 + ε
for non-negligible ε (e.g. ε = 1/1000)
Note: Give examples of distinguishers.

Easy fact: a secure PRG is unpredictable
Define statistical test B as:
  B(x) := 1 if A(x|_{1..i}) = x|_{i+1}, else 0
  (on a truly random r the guess is right with probability exactly 1/2, so Adv_PRG[B, G] > ε)
Note: Give examples of distinguishers.

Thm (Yao'82): an unpredictable PRG is secure
Let G: K → {0,1}^n be a PRG

Thm: if ∀ i ∈ {0, ..., n-1} PRG G is unpredictable at pos. i then G is a secure PRG.
If next-bit predictors cannot distinguish G from random then no statistical test can!!
Note: Give examples of distinguishers.

Quiz: Let G: K → {0,1}^n be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits.
Is G predictable for some i ∈ {0, ..., n-1}?
  - Yes
  - No

More Generally
Let P1 and P2 be two distributions over {0,1}^n
Def: We say that P1 and P2 are computationally indistinguishable (denoted P1 ≈p P2) if
  for all "efficient" statistical tests A: | Pr_{x←P1}[ A(x) = 1 ] − Pr_{x←P2}[ A(x) = 1 ] | < negligible
Example: a PRG is secure if { k ← K : G(k) } ≈p uniform({0,1}^n)

End of Segment

Stream ciphers: Semantic security
Online Cryptography Course, Dan Boneh

Goal: secure PRG ⇒ "secure" stream cipher

What is a secure cipher?
Attacker's abilities: obtains one ciphertext (for now)
Possible security requirements:
  attempt #1: attacker cannot recover secret key
  attempt #2: attacker cannot recover all of plaintext
Recall Shannon's idea: CT should reveal no "info" about PT

Recall Shannon's perfect secrecy
Let (E, D) be a cipher over (K, M, C)
(E, D) has perfect secrecy if ∀ m0, m1 ∈ M (|m0| = |m1|):
  { E(k, m0) } = { E(k, m1) }   where k ← K
(E, D) has perfect secrecy if ∀ m0, m1 ∈ M (|m0| = |m1|):
  { E(k, m0) } ≈p { E(k, m1) }  where k ← K
  ... but also need adversary to exhibit m0, m1 ∈ M explicitly

Semantic Security (one-time key)
For b = 0, 1 define experiments EXP(0) and EXP(1) as:
  (diagram: Chal. b / Adv. A; k ← K; A sends m0, m1 ∈ M with |m0| = |m1|; challenger returns c ← E(k, m_b); A outputs b' ∈ {0,1})
for b = 0, 1: W_b := [ event that EXP(b) = 1 ]
Adv_SS[A, E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]

Semantic Security (one-time key)
Def: E is semantically secure if for all "efficient" A: Adv_SS[A, E] is "negligible".
  ⇒ for all explicit m0, m1 ∈ M: { E(k, m0) } ≈p { E(k, m1) }

Examples
Suppose efficient A can always deduce LSB of PT from CT.
  ⇒ E = (E, D) is not semantically secure.
  (diagram: Adv. B (us) wraps the given Adv. A; Chal. b ∈ {0,1}, k ← K; B picks m0 with LSB(m0) = 0 and m1 with LSB(m1) = 1; C ← E(k, m_b); A(C) returns LSB(m_b) = b; B outputs it)
Then Adv_SS[B, E] = | Pr[ EXP(0) = 1 ] − Pr[ EXP(1) = 1 ] | = | 0 − 1 | = 1
Note: The same holds for any predicate P for which you can construct m0, m1 efficiently.

OTP is semantically secure
  EXP(0): k ← K; A sends m0, m1 ∈ M, |m0| = |m1|; c ← k ⊕ m0; A outputs b' ∈ {0,1}
  EXP(1): k ← K; A sends m0, m1 ∈ M, |m0| = |m1|; c ← k ⊕ m1; A outputs b' ∈ {0,1}
For all A: Adv_SS[A, OTP] = | Pr[ A(k ⊕ m0) = 1 ] − Pr[ A(k ⊕ m1) = 1 ] | = 0
  (identical distributions)

End of Segment

Stream ciphers: Stream ciphers are semantically secure
Online Cryptography Course, Dan Boneh

Goal: secure PRG ⇒ semantically secure stream cipher

Stream ciphers are semantically secure
Thm: G: K → {0,1}^n is a secure PRG ⇒ stream cipher E derived from G is sem. sec.
  ∀ sem. sec. adversary A, ∃ a PRG adversary B s.t.
    Adv_SS[A, E] ≤ 2 · Adv_PRG[B, G]
Note: B has about the same running time as A.

Proof: intuition
  chal./adv. A:  k ← K;       m0, m1;  c ← m0 ⊕ G(k);  b' = 1
    ≈p
  chal./adv. A:  r ← {0,1}^n; m0, m1;  c ← m0 ⊕ r;     b' = 1
    = (identical: OTP)
  chal./adv. A:  r ← {0,1}^n; m0, m1;  c ← m1 ⊕ r;     b' = 1
    ≈p
  chal./adv. A:  k ← K;       m0, m1;  c ← m1 ⊕ G(k);  b' = 1

Proof: Let A be a sem. sec. adversary.

For b = 0, 1: W_b := [ event that b' = 1 ].  Adv_SS[A, E] = | Pr[ W0 ] − Pr[ W1 ] |
  (diagram: Chal. b / Adv. A; k ← K; m0, m1 ∈ M, |m0| = |m1|; c ← m_b ⊕ G(k); b' ∈ {0,1})

Proof: Let A be a sem. sec. adversary.
For b = 0, 1: W_b := [ event that b' = 1 ].  Adv_SS[A, E] = | Pr[ W0 ] − Pr[ W1 ] |
For b = 0, 1: R_b := [ event that b' = 1 ]  in the experiment with r ← {0,1}^n and c ← m_b ⊕ r
  (diagram: Chal. b / Adv. A; r ← {0,1}^n; m0, m1 ∈ M, |m0| = |m1|; c ← m_b ⊕ r; b' ∈ {0,1})

Proof: Let A be a sem. sec. adversary.
Claim 1: | Pr[R0] − Pr[R1] | = 0
Claim 2: ∃ B: | Pr[W_b] − Pr[R_b] | = Adv_PRG[B, G]
⇒ Adv_SS[A, E] = | Pr[W0] − Pr[W1] | ≤ 2 · Adv_PRG[B, G]
  (diagram: number line from 0 to 1; Pr[W0] and Pr[W1] each lie within Adv_PRG[B, G] of the common value Pr[R_b])

Proof of claim 2: ∃ B: | Pr[W0] − Pr[R0] | = Adv_PRG[B, G]
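The step from the two claims to the factor 2 is the triangle inequality on the number line the slide draws. As an added worked derivation (not from the slides), written with the proof's own events W_b and R_b, and with B_b denoting the algorithm B of claim 2 built around m_b:

$$
\begin{aligned}
\mathrm{Adv}_{SS}[A,E]
 &= \bigl|\Pr[W_0]-\Pr[W_1]\bigr| \\
 &\le \bigl|\Pr[W_0]-\Pr[R_0]\bigr| + \bigl|\Pr[R_0]-\Pr[R_1]\bigr| + \bigl|\Pr[R_1]-\Pr[W_1]\bigr| \\
 &= \mathrm{Adv}_{PRG}[B_0,G] + 0 + \mathrm{Adv}_{PRG}[B_1,G] \\
 &\le 2\cdot \mathrm{Adv}_{PRG}[B,G], \qquad B := \text{whichever of } B_0, B_1 \text{ has the larger advantage.}
\end{aligned}
$$

The middle term is claim 1 (the two OTP experiments are identical), the outer terms are claim 2 applied with b = 0 and b = 1.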

Algorithm B:
  (diagram: PRG adv. B (us) receives y ← {0,1}^n, which is either G(k) or truly random; B runs the given Adv. A to obtain m0, m1; B returns c ← m0 ⊕ y to A; A outputs b' ∈ {0,1}; B outputs b')
Adv_PRG[B, G] = | Pr[ R0 ] − Pr[ W0 ] |

End of Segment
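Both the semantic-security examples (LSB-leaking cipher, OTP) and the reduction in the proof above can be evaluated exactly on a toy instance. The following added example (written for this transcript, not the course's code) runs EXP(b) over a uniform key space for a constructed LSB-leaking cipher, for OTP, and for the stream cipher built from a constructed toy PRG G(k) = k ‖ k; it then constructs the proof's Algorithm B from the stream-cipher adversary and checks Adv_SS[A, E] ≤ 2 · Adv_PRG[B, G] on the resulting numbers.

```python
# Added example (not from the slides): the semantic-security experiment
# EXP(b) evaluated exactly over a uniform key space, for (1) OTP, (2) a
# constructed cipher that leaks LSB(m), (3) the stream cipher built from a
# constructed toy PRG G(k) = k ‖ k, and (4) the reduction B(y) from the
# proof, with AdvSS[A,E] <= 2*AdvPRG[B,G] checked on exact fractions.
from fractions import Fraction
from itertools import product


def bitstrings(n):
    return ["".join(t) for t in product("01", repeat=n)]


def xor(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def adv_ss(encrypt, keys, adversary):
    """AdvSS[A,E] = |Pr[W0] - Pr[W1]|, W_b = [A outputs 1 in EXP(b)],
    for a deterministic E and a uniform key."""
    m0, m1 = adversary.choose()

    def win(b):
        mb = (m0, m1)[b]
        return Fraction(sum(adversary.guess(encrypt(k, mb)) for k in keys), len(keys))

    return abs(win(0) - win(1))


def adv_prg(G, keys, n, B):
    """AdvPRG[B,G] = |Pr[B(G(k))=1] - Pr[B(r)=1]| for uniform k and r."""
    p_prg = Fraction(sum(B(G(k)) for k in keys), len(keys))
    space = bitstrings(n)
    p_rand = Fraction(sum(B(r) for r in space), len(space))
    return abs(p_prg - p_rand)


N = 4                                                  # message / output length


def otp(k, m):
    return xor(k, m)


def leaky(k, m):
    return xor(k, m)[:-1] + m[-1]                      # constructed: leaks LSB(m)


def toy_G(k):
    return k + k                                       # constructed 2-bit -> 4-bit PRG


def stream(k, m):
    return xor(toy_G(k), m)                            # E(k, m) = m ⊕ G(k)


class LsbAdversary:
    """The slide's B: m0 with LSB 0, m1 with LSB 1; guess = LSB of the ciphertext."""

    def choose(self):
        return "0000", "0001"

    def guess(self, c):
        return int(c[-1])


class HalvesAdversary:
    """Breaks the stream cipher from toy_G: with m0 = 0000 the two halves of
    c = G(k) ⊕ m0 are equal, with m1 = 0001 they never are."""

    def choose(self):
        return "0000", "0001"

    def guess(self, c):
        return int(c[:2] != c[2:])


def reduction_B(adversary):
    """The proof's Algorithm B: on input y, run A to get m0, m1,
    hand A the ciphertext c = m0 ⊕ y, and output A's bit."""
    def B(y):
        m0, _ = adversary.choose()
        return adversary.guess(xor(m0, y))
    return B


def demo():
    A = HalvesAdversary()
    ss = adv_ss(stream, bitstrings(2), A)
    prg = adv_prg(toy_G, bitstrings(2), N, reduction_B(A))
    return {
        "otp": adv_ss(otp, bitstrings(N), LsbAdversary()),      # 0
        "leaky": adv_ss(leaky, bitstrings(N), LsbAdversary()),  # 1
        "stream": ss,                                           # 1
        "prg_B": prg,                                           # 3/4
        "bound_holds": ss <= 2 * prg,                           # True
    }


if __name__ == "__main__":
    print(demo())
```

The numbers make the theorem's contrapositive concrete: because the toy G is a bad PRG, the stream cipher built on it is breakable, and the same adversary A, wrapped as B, is a distinguisher for G with advantage 3/4. A secure PRG would leave B with negligible advantage, which by the bound forces A's advantage against the cipher to be negligible too.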

